Enlightx

Active Directory issues main server failing

I currently have a network set up with the following servers:

Computer name    OS
Server           Windows 2003 SBS
Data             Windows 2003 Std
Exchange         Windows 2008 Std running Exchange 2010

I have been migrating Exchange from Server to the Exchange server, as well as moving the DHCP, DNS and Active Directory roles.
Server (2003 SBS) is now failing at the hardware level, so I was hoping to get the server down and removed from the directory.

I am currently having lots of issues with Active Directory, to the point where if Server is offline no computers can log in, even though all roles have been moved to Exchange.

I have attached a dcdiag which was run on the Exchange server. It looks to me like the DNS entries are wrong, but I need help working it out.
dcdiag.txt
Windows Server 2008, Windows Server 2003, SBS

Last Comment
sinfocomar

8/22/2022 - Mon
sinfocomar

An error such as Fatal Error:DsGetDcName can be caused by various reasons.

Please post:
How many DCs in the forest?
An unedited ipconfig /all from the DCs and from a sample workstation
Any Event log errors?  - We'll need the EventID# and the Source Name in the errors. You can use the copy/paste function in the event viewer.
What operating system and service pack level are the servers?
Member_2_6492660_1

Another error I saw was no GC Global Catalogs found.

It is not best practice to make your Exchange server a DC.

As the post above asked:

How many DCs do you have?

Run dcdiag on all and post.
Enlightx

ASKER
I was just going to post them up for you, but "server" has gone down again, killing the other server in the process.

I cannot get access to "server" until tomorrow now to get it and "data" back online.

My plan was to get "exchange" running the network and then, when all is quiet, replace "data", which would then be the future main DC, leaving exchange alone to do its thing.

I think the main thing I need to sort is why the network refuses to see "exchange" as a DC for logins. If I can sort this, at least I can get the network up and running, as "server" is currently powering down every 4 - 5 hours; I don't think it's going to last much longer.

To note: there are 3 DC servers in total, all set as global catalog. I have moved the FSMO roles to exchange, but the rest of the network does not seem to recognise this and is still trying to go to "server".
ipconfig---exchange.txt
Enlightx

ASKER
Managed to get the data server online, as well as a client to log in. Attaching ipconfigs and dcdiags from them as well.

When pinging upandunder.local on the client and the data server,

both report 192.168.0.200 (which is the faulty server, currently offline).

Pinging upandunder.local on the exchange server points to itself (192.168.0.25).

How do I update the DNS server to point correctly?
dcdiag---data.txt
ipconfig---data.txt
ipconfig---client.txt
Member_2_6492660_1

Well, your DNS server entry is not correct on exchange. 127.0.0.1 is not a valid DNS server entry.

Your other computer, data, has 192.168.0.25 for the DNS server. Who is 192.168.0.25?

The two DCs other than exchange should also be running DNS.

Do not put any AD roles on the Exchange server. Not good practice.

Again, do not make exchange a DC.
Enlightx

ASKER
I have now changed the DNS entry to 192.168.0.25 (itself; I thought I was okay with 127.0.0.1).

192.168.0.25 is "exchange".

The other 2 DCs are soon to be replaced ("server" is failing/failed), so I didn't see the point in having DNS on there when it's running on "exchange".

In regards to running AD roles on the Exchange server, this is only a temporary measure while the other server is migrated. What are the downsides to doing this? I don't plan on leaving it this way permanently.
Member_2_6492660_1

OK, I see.

Let's see if computers can log on to the AD now.

They are all using DHCP, correct? Pointing to 192.168.0.25 for DNS?
Enlightx

ASKER
All clients are using DHCP, and DHCP sets 192.168.0.25 as the DNS server.

I've tried to log in using a client and it does seem to log in after a while.

It also takes a long time to log out.

Pinging upandunder.local from the client comes back as 192.168.0.70 (the data DC server, not exchange).
If I then run ipconfig /flushdns

it then comes back as 192.168.0.25.
Member_2_6492660_1

Post ipconfig /all from that computer
Enlightx

ASKER
Windows IP Configuration

        Host Name . . . . . . . . . . . . : oem-4a3b72d24f4
        Primary Dns Suffix  . . . . . . . : upandunder.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : upandunder.local
                                            upandunder.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : upandunder.local
        Description . . . . . . . . . . . : Realtek RTL8168D(P)/8111D(P) PCI-E Gigabit Ethernet NIC
        Physical Address. . . . . . . . . : 00-25-22-81-52-01
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.93
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.25
        DNS Servers . . . . . . . . . . . : 192.168.0.25
        Lease Obtained. . . . . . . . . . : 19 May 2014 19:35:27
        Lease Expires . . . . . . . . . . : 27 May 2014 19:35:27


To note: the earlier uploaded file ipconfig---client was the incorrect file; it was from the exchange server.
Member_2_6492660_1

Try this:

ipconfig /all >c:\ipcfg.txt

That will save it to a file. Then copy it to the computer you are using for this site and attach the file.
Enlightx

ASKER
file attached.
ipcfg.txt
Member_2_6492660_1

Was 192.168.0.70 a DNS server before?

If so, are the DNS server services still running?

Another thing: what is 192.168.0.1? Cisco?

Check to see what DNS settings are in that device.
Enlightx

ASKER
192.168.0.70 was once a DNS server as a backup, but it has since been removed.

192.168.0.1 is the company ADSL router (DHCP disabled).
It's used as a gateway and also for external DNS requests.

To note: running dcdiag on the server still says no GC servers are available. It's as if even the server itself cannot see itself.
Member_2_6492660_1

OK.

Check the ADSL router for its local network settings; make sure its local LAN connection is pointing to 192.168.0.25 and not 192.168.0.70.

I would flush DNS on the router; I believe it still has 192.168.0.70 cached.


Are you sure the Exchange server has been made a GC? Double-check that.
Enlightx

ASKER
How do I check exchange is running as GC?

The box is ticked when I right-click the computer in Sites and Services.
Member_2_6492660_1

Try this:

 dsquery server -isgc
Enlightx

ASKER
I get this back as the result:

"CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=upandunder,DC=local"
"CN=DATA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=upandunder,DC=local"
"CN=EXCHANGE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=upandunder,DC=local"

I have also changed external DNS lookups to Google now, in case the ADSL router is causing the issue.
Enlightx

ASKER
Looking deeper into things, it looks like I have no netlogon on the 2 working servers! This would explain why clients are having a hard time logging in when only these 2 servers are online.

When running dcdiag /test:netlogons

the Windows 2008 machine fails on
unable to connect to the netlogon share! (\\exchange\netlogon)
[exchange] an net use or LsaPolicy operation failed with error 67
the network name cannot be found

the Windows 2003 machine fails on
Unable to connect to the netlogon share! (\\data\netlogon)
[data] an net use or lsapolicy operation failed with error 1203, win 32 error 1203

It looks like the main server (which is now badly failing due to a faulty HDD and overheating issues) is not replicating to the other servers because of this.

What should I do?
Member_2_6492660_1

Run this: netdom query FSMO

Are you sure the roles transferred to exchange?

Check DC -> NTDS Settings. What do you have there?
sinfocomar

You need to implement your contingency plan pronto. You can't even think of doing anything before backing up that server and replacing it. Image the HDD to a new one and get a server that doesn't overheat. I do not recommend working on the AD records without having a stable hardware platform in place.

Afterwards you can check who has what role, what's missing, etc.
Enlightx

ASKER
There's no hard data on the server; this has all been moved away.

Can you recommend a method for backing up Active Directory?

Both of the other DCs seem to have replicated all usernames, passwords etc. okay; it just seems like the netlogon and GC stuff is not going.

It looks like there have been some DNS issues in the past, which I'm sorting out at the moment. Then I think I'll get replication running okay, and then I'll move the FSMO roles again (I moved them back to the original server for now to get the network up and running).

I have also sent someone out on site to stop the old server overheating and crashing :)
Enlightx

ASKER
I've now got DNS working correctly on all 3 DCs; they can all see each other correctly and the DNS tests all pass (they didn't before).

I'm currently trying to sort the netlogon issues with the data server, as there are no sysvol or netlogon shares there.

If I can get this server working, I can then move all the FSMO roles to this server.

Running dcdiag /test:netlogons, I get the following:

Doing primary tests

   Testing server: Default-First-Site-Name\DATA
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DATA\netlogon)
         [DATA] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
         ......................... DATA failed test NetLogons
sinfocomar

Good job. You should transfer all Active Directory roles. After that you can discard the old server with or without dcpromo delete (http://technet.microsoft.com/en-us/library/cc771844(v=ws.10).aspx). If you remove it while it's still active, I guess it's a cleaner process.
Enlightx

ASKER
The problem is I have no netlogon or sysvol on any server other than the failing server.

So even if I do move the FSMO roles, clients still won't be able to log on.

I'm trying every fix I can find for that error 1203 and cannot get the share folders to appear.
sinfocomar

Did you install the feature NTFRS on the 2008 servers, which is used in 2003 domains to perform sysvol replication?

Run repadmin /showreps and post the output.

NTFRS is under the role File Services - Add Role Services - Windows Server 2003 File Services (File Replication Service).
Enlightx

ASKER
I just installed the role on the 2008 server (to note: the data server is 2003, and currently the main objective is to get that running the network; I can worry about the 2008 server, which is running Exchange, later).

I didn't know which server you wanted repadmin /showreps run from, so I attached all 3.
repadmin---exchange.txt
repadmin---server.txt
repadmin---data.txt
sinfocomar

After installing NTFRS, run the following command on all servers:

ntfrsutl ds |findstr /i "root stage"
Enlightx

ASKER
Exchange :
Root      : c:\windows\sysvol\domain
Stage     : c:\windows\sysvol\staging\domain

Server :
Root      : c:\windows\sysvol\domain
Stage     : c:\windows\sysvol\staging\domain

Data :
Root      : c:\windows\sysvol\domain
Stage     : c:\windows\sysvol\staging\domain

(I didn't install anything on the 2003 servers for NTFRS; I take it this is correct?)
sinfocomar

No need to install anything on 2003 server.

Any errors in the event log on the 2008 servers?
Enlightx

ASKER
From what I can see, I was getting file replication warnings from server to exchange, but these stopped an hour ago and there has been nothing since then.

I'm getting some MSExchange ADAccess errors:
Process MAD.EXE (PID=1236). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
SERVER.upandunder.local      CDG 1 7 7 1 0 1 1 7 1
data.upandunder.local      CDG 1 7 7 1 0 1 1 0 1
EXCHANGE.upandunder.local      CDG 1 7 7 1 0 1 1 0 1
 Out-of-site:
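
The topology table in the event above can be read column by column. The following is an added example (not part of the thread) that parses it and lists, per DC, the checks that did not pass. It assumes Reachability, Synchronized and Netlogon are bit masks where 7 means every probe succeeded, as SERVER's row suggests; the function names are illustrative.

```python
import re

# Numeric columns, in the order given by the event's own header line.
COLUMNS = ("enabled", "reachability", "synchronized", "gc_capable", "pdc",
           "sacl_right", "critical_data", "netlogon", "os_version")

# Assumption: these columns are 3-bit masks and 7 means all probes passed.
BITMASK_OK = {"reachability": 7, "synchronized": 7, "netlogon": 7}
# Assumption: these columns are yes/no flags that should be 1 on a usable DC.
# "pdc" is left out: 0 is normal for a DC that is not the PDC emulator.
FLAG_OK = {"enabled": 1, "gc_capable": 1, "sacl_right": 1, "critical_data": 1}

# Rows copied from the event text quoted in the post above.
SAMPLE_EVENT = """\
In-site:
SERVER.upandunder.local      CDG 1 7 7 1 0 1 1 7 1
data.upandunder.local      CDG 1 7 7 1 0 1 1 0 1
EXCHANGE.upandunder.local      CDG 1 7 7 1 0 1 1 0 1
 Out-of-site:
"""

SITE = re.compile(r"^\s*(In-site|Out-of-site):\s*$")
ROW = re.compile(r"^\s*(\S+)\s+([A-Z]+)((?:\s+\d+){9})\s*$")


def parse_topology(text):
    """Return one dict per server row, tagged with the site section it is in."""
    rows, site = [], None
    for line in text.splitlines():
        m = SITE.match(line)
        if m:
            site = m.group(1)
            continue
        m = ROW.match(line)
        if m:
            row = {"name": m.group(1), "roles": m.group(2), "site": site}
            row.update(zip(COLUMNS, (int(v) for v in m.group(3).split())))
            rows.append(row)
    return rows


def failing_checks(row):
    """Names of the columns whose value differs from the all-passed value."""
    bad = [c for c, ok in BITMASK_OK.items() if row[c] != ok]
    bad += [c for c, ok in FLAG_OK.items() if row[c] != ok]
    return bad


def report(text):
    """Map each server name to the list of checks it fails."""
    return {r["name"]: failing_checks(r) for r in parse_topology(text)}


if __name__ == "__main__":
    for name, bad in report(SAMPLE_EVENT).items():
        print(name, "OK" if not bad else "FAILED: " + ", ".join(bad))
```

On the rows quoted above, only the Netlogon column separates SERVER from data and EXCHANGE, which matches the missing netlogon shares reported earlier in the thread.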
sinfocomar

Good. Do you have the shares now?
Enlightx

ASKER
Hi

No, still no shares :(

Server has sysvol & netlogon.

Exchange has sysvol.

Data has nothing.

Do you think running dcpromo on data to remove it as a DC, then running it again, might help?
Member_2_6492660_1

You need to get replication working between data and exchange.

Do not dcpromo until exchange AD is working correctly.
Enlightx

ASKER
Right, I just performed a reboot on the exchange server.

I get the attached event.

When I browse to \\upandunder.local\
it looks like it's going to the \\data share, which doesn't have a sysvol or netlogon, so it cannot get the GPO.
event.txt
sinfocomar

On your 2008 servers:
    1. Stop the NTFrs service.
    2. Delete the "dns domain name" folder from c:\windows\SYSVOL\staging areas.
    3. Create the junction point by running the following command: mklink /J "c:\windows\syslog\staging areas\dns domain name" c:\windows\sysvol\staging\domain
    4. Delete the "dns domain name" folder from c:\windows\SYSVOL\sysvol.
    5. Create the junction point by running the following command: mklink /J "c:\windows\sysvol\sysvol\dns domain name" c:\windows\sysvol\domain
    6. Start the NTFrs service.

Check for errors in the event log.
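
A read-only check of the layout those steps rebuild, added here as an example (it is not part of the original post): the two junctions belong under the SYSVOL folder named in steps 2 and 4, and a junction can only be created inside a parent folder that already exists. The function name and the root path passed in are assumptions.

```python
import os


def check_sysvol_junctions(sysvol_root, dns_domain):
    """Return a list of (link_path, problem) for the two SYSVOL junctions.

    Expected layout under sysvol_root (for example c:\\windows\\sysvol):
        staging areas\\<dns_domain>  -> staging\\domain
        sysvol\\<dns_domain>         -> domain
    An empty list means both junctions exist and resolve to their targets.
    """
    expected = [
        (os.path.join("staging areas", dns_domain),
         os.path.join("staging", "domain")),
        (os.path.join("sysvol", dns_domain), "domain"),
    ]
    problems = []
    for link_rel, target_rel in expected:
        link = os.path.join(sysvol_root, link_rel)
        target = os.path.join(sysvol_root, target_rel)
        if not os.path.isdir(os.path.dirname(link)):
            # The folder that should hold the junction is not there at all,
            # e.g. because the root path was mistyped.
            problems.append((link, "parent folder missing"))
        elif not os.path.lexists(link):
            problems.append((link, "junction missing"))
        elif not os.path.isdir(target):
            problems.append((link, "target folder missing"))
        elif os.path.realpath(link) != os.path.realpath(target):
            # A plain folder sitting where the junction should be ends up
            # here: it resolves to itself, not to the replica folder.
            # realpath follows junctions on Windows (Python 3.8+) and
            # symbolic links elsewhere.
            problems.append((link, "not a junction to " + target))
    return problems


if __name__ == "__main__":
    # Domain name taken from the thread; the root is the default location.
    found = check_sysvol_junctions(r"c:\windows\sysvol", "upandunder.local")
    for link, problem in found:
        print(link, "->", problem)
    if not found:
        print("both junctions resolve to their targets")
```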
Enlightx

ASKER
When running

mklink /J "c:\windows\syslog\staging areas\dns domain name" c:\windows\sysvol\staging\domain

on the command line, I get the following:
The system cannot find the path specified.
Enlightx

ASKER
I also tried the following, with the same effect:

mklink /J "c:\windows\syslog\staging areas\upandunder.local" c:\windows\sysvol\staging\domain
sinfocomar

Did you change "dns domain name" for your own?
Enlightx

ASKER
Yeah

Used


mklink /J "c:\windows\syslog\staging areas\upandunder.local" c:\windows\sysvol\staging\domain
Enlightx

ASKER
Got the command working now and restarted ntfrs.

No errors as of yet, but also no netlogon share.
Member_2_6492660_1

Here I found this that might help you

http://support.microsoft.com/kb/947022
sinfocomar

Seems to be damaged beyond what I initially estimated. Let's reset the whole tree to be sure.

Did you at least get the Sysvol share back?
Enlightx

ASKER
Yeah, already got the sysvol share back a few days ago on exchange.

Nothing at all on data (Windows 2003 Std).
sinfocomar

Can you add another DC, a temporary one to hold the roles and to work on? 2003 if possible
Enlightx

ASKER
Yeah it's possible I suppose

Let me see what I can sort out
ASKER CERTIFIED SOLUTION
sinfocomar

Log in or sign up to see answer
Enlightx

ASKER
Try this before putting another server in, or after?
sinfocomar

I'd do it after and on the temp server
Enlightx

ASKER
OK, I'm off the next 4 - 5 days, so I'll get something plumbed in next week.

In the meantime, should I back up from the old server using NTBackup to back up Active Directory?
sinfocomar

I'd download a trial version of Backup Exec for a complete backup and later easy restore.

https://www4.symantec.com/Vrt/offer?a_id=91523
or
https://www4.symantec.com/Vrt/offer?a_id=30140
Enlightx

ASKER
Just an update: I've managed to get replication working correctly now :) and the data server does indeed have netlogon and sysvol shares. I'm waiting on the exchange server to replicate, and hopefully that will have them as well. Then I can get on with moving the FSMO roles and getting the failing server offline.

What I did was run the following on the failing server on the network:

To fix the problem, you must designate a domain controller to be authoritative for the Sysvol replica set:
1. Stop the File Replication service on the PDC emulator FSMO role holder.
2. Use the Registry Editor to navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup.

3. Double-click the BurFlags Value Name, a REG_DWORD data type, and set the data value to D4, using the Hex radix.
4. Exit the Registry Editor.
5. Start the File Replication service.
sinfocomar

Excellent! Sounds promising.